Saturday, February 27, 2010

Network Intrusion: The Advanced IPS Evasion Techniques

As most of you may know that the Intrusion Prevention Systems (IPS) should protect vulnerable hosts from remote exploits. However, there are occassions where exploits can apply multiple evasion methods to bypass these detection mechanisms and break into the system. There are many hacking tools which apply multiple IDS/IPS evasion techniques but these tools are more exploit oriented rather than evasion oriented.

IPS signatures can be evaded completely if the protocol stacks do not understand the evasions and normalize the traffic over the network. For example, SMB and MSRPC signatures should not worry about fragmentation, padding, extra methods or other randomizations. More of these examples are discussed below.

IP Random Options

-Fill IP Packet with random Options-If the target host and the IPS device disagree about the validity of the packet, the target host may see different data than the IPS.

TCP Time Wait

-Open and close a TCP connection. Open a new TCP-connection to the same service using the same TCP-source port. According the TCP RFC, the TCP client MUST wait "TIME-Wait Delay" amount of seconds before reusing a port.

-If the attacker uses his own TCP/IP Stack, he can open and close a TCP-connection and immediately open a new TCP connection using the same source port.

TCP Urgent Pointer

-Insert one byte into a TCP-stream.-TCP-Server chooses whether to use or discard the added byte.-An IPS device inspection can be evaded by clever use of the urgent pointer.-Example: TCP Stream: GETP / (P is urgent data) IPS looks: GETP / Apache looks: GET /

SMB Session Mixing

It is possible to use multiple resources over the same SMB-session within the single TCP-connection at same time. Simultaneously read and write into multiple files.

SMB Write/Read Padding

-The write and read commands have an offset pointer that can be used for padding.-All data after the SMB header till the pointed byte should be discarded.

MSRPC Alter Context

The client may change the current context using the Alter Context Method. All subsequent requests then go to the new context.Example: The client binds to non vulnerable context and then changes into a vulnerable context and sends the exploit.

-MSRPC evasion, --msrpc_evasion:big_endian Communicate in big endian formatrandom_object: Add a random object reference to MSRPC requestsalter_context: Bind to a random context and then alter to the correct ip